Intelligence-Sharing Suffers Growing Pains

For most organizations, intelligence-sharing remains mainly ad-hoc and informal -- and thus fraught with frustration and pitfalls, a new report from Ponemon finds.

Target's epic data breach was the final push the retail industry needed to finally formalize threat and attack intelligence-sharing within its community. Retail until recently was one of the last high-profile holdouts to create its own official intelligence-sharing mechanism and the end product is likely to mirror the model of existing Information Sharing and Analysis Centers (ISACs) in other industries.

"We're not all in with an ISAC yet. We are sharing protocols and procedures we expect could be transformed into an ISAC," says David French, senior vice president for government relations at the National Retail Federation (NRF), who confirmed with Dark Reading last month that the retail industry was considering its own ISAC. "We've opened a sharing platform that will serve as a portal for the time being. It's not the same [model] as the FS-ISAC uses, but we are investigating that option," says French, whose organization last week announced the industry was making it official and going with its own intel-sharing model.

To date, some retailers have informally shared threat and attack experience and information among one another, and law enforcement and government entities haven't had a central place to share with retail their intel about active attacks and other types of threat information. "Our members told us they'd like to have information in real-time... [a central model] would give them a better understanding of what the threats are," says NRF's French. The plan is to stand up an intel-sharing platform or ISAC this summer, he says.

Most organizations consider intelligence-sharing crucial for fighting back against the bad guys: new data from the Ponemon Institute shows that 61% of organizations say threat intel could have prevented the cyberattacks they have experienced in the past 24 months. Only 30% of the organizations say they are "satisfied" or "very satisfied" with their current method of gathering threat intelligence.

When a company hit by a cyberattack shares some details of the attack with another firm, it typically gives them a call or shoots them an email with some intelligence on the malware or other fingerprints of the attack. It's then up to the recipient to manually translate that information into a format it can use to automatically protect itself from falling prey to that attack.

More than half of the respondents in the Ponemon survey get threat intel informally -- the most common method for many organizations -- via phone, email, or in-person meetings, and these methods can be too slow and inconsistent, not to mention far from secure. The gap in time between receiving the intel and converting it into something useful can make all the difference in deflecting or mitigating an attack. Nearly 70% of them say intel actually expires within seconds or minutes, yet more than 50% have gotten this information in days, weeks, or months, rendering much of it useless.

Lars Harvey, CEO of IID, which commissioned the Ponemon report, says the most useful information is that which arrives within microseconds. "And they have to immediately apply it to their infrastructure – that is the most useful [approach] and helped prevent things [attacks] from happening," says Harvey of IID, a threat intelligence firm. "As time goes by, the value of the information diminishes."

Harvey says many organizations hesitate to enter into intel-sharing for legal reasons. "The doomsday scenario is someone misusing the information they share and causing harm, and the harmed party comes back to the original source looking" for compensation, for instance, he says, even though the source had no control over how that information was shared. "That's what attorneys are most afraid of," he says. "Scaling trust is a big challenge."

Receiving information with context rather than raw data is also crucial, and automating a response to a threat within the organization poses plenty of interoperability challenges, he says. That's where emerging standards like Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII) come into play. STIX is the intel-sharing language architecture and TAXII is the protocol for transporting that information. The two are seen as the future of creating a standard machine-readable language and transport for incorporating the latest threat information into an organization's security infrastructure.
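As an added illustration, not code from the article or from the STIX/TAXII standards bodies, the Python below turns a STIX 2.1 JSON bundle (the current JSON revision of the STIX language named above) into IP and domain block lists, honoring each indicator's valid_until so that expired intel, the kind respondents say arrives too late, is never applied. The bundle, its identifiers and its addresses are constructed sample data.

```python
"""Convert a STIX 2.1 bundle into block lists, dropping expired indicators."""
import json
import re
from datetime import datetime

# Constructed sample bundle (hypothetical ids; documentation-range addresses).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.5']",
         "valid_from": "2024-01-01T00:00:00Z", "valid_until": "2024-01-02T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'malware.example'] OR [ipv4-addr:value = '198.51.100.7']",
         "valid_from": "2024-01-01T00:00:00Z"},  # no valid_until: open-ended
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--00000000-0000-4000-8000-000000000004",
         "name": "constructed-sample", "is_family": False},  # context only, not blockable
    ]})

# Simple equality terms only; other STIX pattern constructs are skipped, not guessed.
_TERM = re.compile(r"(ipv4-addr|domain-name):value\s*=\s*'([^']+)'")

def _stix_ts(value):
    # STIX timestamps are RFC 3339 with a trailing 'Z'; make them aware datetimes.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def extract_blocklist(bundle_json, now_iso):
    """Return (ips, domains) taken from indicators that are valid at now_iso."""
    now = _stix_ts(now_iso)
    ips, domains = set(), set()
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        if _stix_ts(obj["valid_from"]) > now:
            continue  # not yet in force
        until = obj.get("valid_until")
        if until and _stix_ts(until) <= now:
            continue  # expired: stale intel is dropped rather than applied
        for kind, value in _TERM.findall(obj["pattern"]):
            (ips if kind == "ipv4-addr" else domains).add(value)
    return sorted(ips), sorted(domains)

if __name__ == "__main__":
    print(extract_blocklist(SAMPLE_BUNDLE, "2024-01-03T00:00:00Z"))
```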

Nearly 70% of the respondents in the Ponemon survey give real-time, machine-to-machine exchange of intelligence a thumbs up. Sixty-two percent say current sharing relationships are typically limited by industry, geography, or community.

ISACs provide an official mechanism for sharing information about the latest malware and cybercrime activity spotted targeting specific industries and others. They also maintain databases of those threats and vulnerabilities for their members. There are some 16 ISACs to date for specific industries, including the financial industry's FS-ISAC, as well as ISACs in the electricity, water, supply chain, and research and education sectors. The goal is to help the industries better team up in the face of cybercrime and cyberespionage.

The financial services industry's FS-ISAC and the Defense industry's ISAC both are considered the gold standard for intel-sharing. "We've seen in a few industries, such as financial services and education, very effective programs for exchanging threat information. Other ISACs are not as mature and not as effective," IID's Harvey says.

"Information sharing and analysis centers (ISACs) are a proven way for organizations to hear from peer organizations about emerging advanced threats to data, criminal behavior patterns, best practices to manage risk, and as a forum to learn about how new technologies, like data-centric encryption and tokenization, can mitigate them economically," says Mark Bower, vice president of product management and solution architecture for Voltage Security. "Extending this to retail entities makes a lot of sense and facilitates a no-nonsense vehicle to solve problems quickly across industry participants."

Bower says getting firsthand perspective from victims who have suffered an attack is especially useful. "While advanced technology can solve big risk issues, one of the biggest gaps industry faces today is education and understanding the true cost and risk of advanced threats when they hit vulnerable entities," he says. That's where ISACs come in.

IID's Harvey echoed that: "The first key is identifying [activity] as an attack. Has anyone seen behavior like this? The more you know," the better, Harvey says.

"What was clear in our findings is that businesses and government agencies know that exchanging cyber threat intelligence will help secure the Internet more so than any other method or technology," says Larry Ponemon, Chairman and Founder of the Ponemon Institute, which surveyed 700+ IT and security professionals in enterprises and government agencies. "Yet what is really confounding is that while most of the people participating in the survey are clearly sharing cyberattack information, they know they aren’t doing it correctly or effectively."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...